Quick Launch

This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates

Computing resources are for all users. Users must respect the usage rights of others that use UofL resources.

Computing accounts and facilities must not be used in any manner which could be disruptive, degrade the performance of or cause damage to university computing infrastructure, resources or data and/or other users. Personal use should be kept to a minimum and in no case should a university account be used for non-university business purposes.

REASON FOR POLICY

University computer user accounts and computing facilities are provided for persons who legitimately need access to university computing resources. This includes university faculty, staff and students. Other persons may qualify for a computer user account and access to computing facilities on a case by case basis.Accounts and facilities must be utilized in accordance with law and University policy.

RELATED INFORMATION/STANDARDS

Confidentiality of Data

Sensitive Informationmust not be accessed, copied or disseminated except to the extent necessary to fulfill assigned responsibilities, and then only to the extent that the individual is authorized.

The confidentiality, security and integrity of the university data and computing infrastructure must be maintained at all times by university personnel. This obligation continues beyond the termination of the individual's relationship with the university.

Intellectual Property

Adherence to all federal copyright laws, regulations and university policy on intellectual policy is required. This includes but is not limited to laws, regulations and policy on text, graphics, art, photographs, music, software, movies and games.

Users must respect the property rights and associated restrictions of others and refrain from actions or access which would violate the terms of licensing and nondisclosure agreements.

Safeguarding and Misuse of Computing Accounts or Computing Infrastructure

Safeguarding of access codes and passwords to protect against unauthorized use and notification of Information Technology of suspected unauthorized use is required.

Unauthorized use of the accounts and knowingly allowing use of the accounts for unauthorized purposes is not permitted.

Misuse of university computing accounts or computing infrastructure is not tolerated. Generally, behavior considered unacceptable if done without a computer is also unacceptable if done using a computer. Examples of misuse include, but should not be construed as being limited to: harassment, unauthorized hacking of computing systems, denial of service attacks, spoofing of identity, chain letter distribution, solicitation of non-university business and obscene language.

Expectation of Privacy and Disclosure

Privacy of computing activities while using university resources is neither guaranteed nor should it be expected:

User access, security, audit and other logs are maintained to facilitate compliance with laws and regulations as well as to facilitate activity reviews when necessary.

Access may be given to persons outside of the university community on a case-by-case basis or under certain conditions when warranted. Disclosure of this information may not be given to the individual(s) involved.

The University of Louisville does not guarantee the confidentiality or privacy of electronic data or voice mail messages. This should be kept in mind when using these services.

Third party vendors are involved with both internet and voice mail data. All users of electronic data and voice mail should familiarize themselves with policies set forth by these vendors.

Faculty, staff, administrators and students should regularly check their university email accounts for correspondence.

The University of Louisville does not allow anyone to send email to large numbers of employees and/or students in the University without prior approval. To send a mass email (greater than 100 recipients), your message must be approved by the Department of Communications and Marketing (see Information Technology's mass email guidelines).

Employees should not use email in a manner that degrades or interferes with job performance or duties.

Sensitive information requires special precautions when emailing. If sensitive information is being emailed outside the university network, it must be sent using the university's secure email system. Emails containing sensitive information must not be automatically forwarded.

Mail forwarded from a user's account to any other account or email address is the responsibility of the user.

Complaints regarding misuse or misconduct will be investigated. Note: The intent of the communication along with the perspective of the recipient is considered during investigations.

Electronic mail use is monitored for resource consumption and storage management.

"Email for life" users and other email users must not use their UofL email address to misrepresent their affiliation with the university.

Administrative Standards:

General

Requests for user accounts must be submitted in writing and approved by authorized personnel.

Access to additional required resources not provided upon account creation can be requested by completing the appropriate IT account request form.

Access to a university business application or data may be denied if the appropriately completed authorization does not accompany the request.

Access to information is granted based on owner authorization, position requirements, job duties and the principle of least privilege and need-to-know.

Account creation and granting of access privileges can only be done by explicitly authorized personnel.

Accounts should conform to the university's standard naming convention, be unique to each user and not reused for a period of 12 months.

Upon termination or reassignment, management must notify appropriate parties such as HR, Facilities and IT to ensure that all access to information or to restricted areas is revoked or removed including the deactivation or changing of known passwords or passcodes.

Accounts that are dormant or inactive should be disabled after no more than 180 days. Disabled accounts are deleted after 30 days of inactivity.

Student Account Requests

Students must be registered for classes to request and retain a computer user account.

Student user accounts will automatically be renewed each Fall and Spring semester, if registration is continuous (students registered in the Spring will be able to retain their account over the Summer semester).

After 2 years of non-registration, the student's user account will be placed on hold for a period of nine months. After 9 months, the account will be deleted.

Student email accounts will remain open during enrollment and thereafter for 2 years beginning the first semester not enrolled.

Upon graduation, students may request an email for life account which will remain open.

Employee Account Requests

Accounts will be closed immediately upon termination of employment and all contents from the account deleted after one month.

Retirees can keep their accounts after retirement. If the account has not been accessed in 6 months the account will be closed and the mail will be deleted in 30 days.

Sponsored Account Requests

Sponsored accounts may be granted to individuals external to the University of Louisville under the following conditions:

A specific relationship exists with a university unit or individual in support of a university mission, function, project or business.

A university unit or individual is willing to sponsor (be responsible for) the individual's computer account.

Sponsored accounts will be reviewed annually as a group to determine whether renewal is necessary.

Sponsored accounts can only be requested by full-time faculty, staff or administrators.

Sponsored accounts must be restricted to have access to only the information and facilities required for the specified purpose and as authorized by the appropriate university designee.

Service Account Requests

Service accounts are granted to University of Louisville units and departments under the following conditions:

The purpose is directly related to university mission, function, project or business;

A need exists to share access to an account;

A need exists to centrally manage and store electronic communications or data;

All individuals who will use the service account must have their own individual computer account.

Service account requests must be approved and accounts inventoried with documented owner, authorized personnel and business reason.

Service accounts that are shared must be assigned to a single owner who is responsible for requesting changes, managing entitlement, disclosing and changing the password.

A service account is the only exception to the computer account naming standard. A service account can have any descriptive name, indicating its purpose, within eight characters. For example, the Security and Account Management (SAM) team in Information Technology has a service account available for the university community to send questions, comments and problems called askSAMIT@louisville.edu.

Privileged Account Requests

Privileged accounts are granted to individuals, systems, applications, etc. under the following conditions:

The purpose is directly related and restricted to university specific information assets, processes and systems

All individuals who will use a privileged account must also have their own individual computer account

May be granted to authorized development personnel for production emergency situations

Privileged account requests must be approved and accounts inventoried with documented owner, authorized personnel and business reason.

Privileged accounts must be restricted on a least privileged basis to those individuals and/or services that are required per business need.

Termination of an Account

Termination of computer accounts will occur under the following circumstances:

The account holder does not agree to the Computer Account Usage Agreement.

The account holder requests the computer account be closed.

The account holder is no longer affiliated with the university.

The account holder misuses computing facilities or resources.

The department or sponsor requests that the computer account be closed.

Once a computer account has been closed, access to the account or the data contained within it may be granted to University of Louisville individuals to facilitate the transfer of responsibilities or the retrieval of data.

Individuals employed by the University as faculty or other employees who teach courses or are engaged in academic research activities for the University

Visiting faculty who are conducting academic research or teaching courses on a time-limited basis from another institution for the University

An individual, who is teaching courses or conducting academic research activities for the University without salary and is under the control/supervision of the University.See also the University Redbook at http://louisville.edu/provost/redbook/chap3.html

Sensitive Information

Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, grant reviews, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. Sensitive information does not include personal information of a particular individual which that individual elects to reveal (such as via opt-in or opt-out mechanisms) (see Information Management and Classification Standard)

StaffThe staff of the University of Louisville shall consist of all employees of the University who do not hold faculty appointments, are not full-time students enrolled in the University, are not graduate assistants at the University, or are not administrators as defined in Section 2.3.1 of the University Redbook (see http://louisville.edu/provost/redbook/contents.html/chap5.html).

Student

An individual taking a course at the University whether for credit or non-credit who is enrolled for course

An individual who was enrolled at the University for a specific term (e.g., fall, spring, summer semester), who has not graduated, and who is not yet enrolled forthe immediately subsequent term, provided such enrollment is still permitted, and provided further, that where the individual was enrolled at the University for the spring term, the immediate subsequent term shall be the University succeeding fall term. (e.g., (1) a student enrolled in the spring term, who does not graduate at the end of the spring term, may not enroll for the summer term; but will still be a student unless the individual fails to enroll for the succeeding Fall semester, and (2) a student who has completed all other degree requirements but is completing a dissertation/thesis.)

An individual who is admitted to the University or an academic program of the University but has not yet commenced the program of study. An admitted student will be included in the definition of student for a period of one-year following the date of admission to the University or an academic program of the University. See the University Redbook at http://louisville.edu/provost/redbook/chap6.html for more information.

User

Includes students, faculty, staff, administrators and other employees of the University of Louisville and its affiliated entities and any other individual having a computer account, email address or utilizing the computer, network or other information technology services of the University of Louisville.

RESPONSIBILITIES

Policy Authority/Enforcement:The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance:Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.

This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.

Approved July 23, 2007 by the Compliance Oversight CouncilShirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council